Global Network Acceleration: Create a multinational, enterprise-class, dedicated network channel with Azure Front Door and ExpressRoute

cloud · 2026-06-01 · 7 reads

In the IT architecture evolution of multinational enterprises, cross-border e-commerce companies and overseas SaaS platforms, network latency and jitter are often the "number one killer" of user experience.

You have surely run into this public-network nightmare: the R&D team at the domestic headquarters writes the core API and deploys it in the cloud. When overseas branches or multinational buyers call it, the traffic has to cross thousands of kilometres of the Pacific. Thanks to public-network congestion and the brutal interconnection bottlenecks (BGP jitter) between international carriers, a request that originally took milliseconds balloons to more than 3 seconds. Clients keep showing "loading" and "connection timeout", and it ends with senior executives freezing mid-sentence and the PPT dropping out of cross-border video conferences.

The traditional fixes are to buy expensive physical lines (MPLS) all over the world, or to replicate an identical set of databases and servers (a multi-active architecture) in every overseas region. But a physical leased line takes months of approvals, and its sky-high monthly rent can swallow the entire profit of the project, while the cross-region data-consistency headaches of a multi-active architecture are enough to make the R&D team lose their hair.

Microsoft's cloud-native network ecosystem has a killer combination designed precisely to open up the main arteries of the global network: Azure Front Door (the global edge acceleration gateway) and Azure ExpressRoute (the dedicated highway into the cloud).

Its core logic is blunt: reduce the unpredictability of the global public network to zero by replacing it entirely with the world-class private backbone that Microsoft has built.

Today we skip the official marketing speak and the dull textbook concepts and go straight to hard-core, industrial-grade hands-on practice: how to use this one-two punch to quickly weld together a low-latency, highly available, exclusive global network channel for a multinational enterprise.

Phase I: Taking it apart: the "outer skin plus inner skeleton" model of cross-border acceleration

Before you open the Azure console and start clicking, build a model in your head of the physical world underneath this fully managed network combination. Many people cannot tell how Front Door and ExpressRoute divide the work. In fact, one handles "global interception at the outer skin layer" and the other handles "physical plumbing at the inner skeleton layer".

Outer skin layer: Azure Front Door (the security gate for global users). Front Door is a fully managed global edge load balancer built on Anycast routing. When users anywhere in the world send a request, the traffic does not cross the ocean directly; within 1 second it lands on one of Microsoft's edge sites (PoPs) in hundreds of cities worldwide. The moment the traffic enters a PoP it leaves the muddy public Internet and steps onto the global private backbone that Microsoft has built at a cost of 10 billion US dollars, isolated on its own fibre. There, Front Door uses SSL offloading and TCP connection optimisation (split TCP) to compress the long transoceanic handshake delay to a level the naked eye cannot perceive.

Inner skeleton layer: Azure ExpressRoute (the physical artery to the enterprise server room). If Front Door solves the acceleration from "global users to the Microsoft cloud", ExpressRoute solves the last hop from "the Microsoft cloud to the enterprise's own data centre (IDC or headquarters server room)". It bypasses the public network entirely and, over the telecom carrier's physical fibre, pulls an exclusive "physical intranet cannula" with unlimited bandwidth and absolutely fixed latency between your on-premises server room and Azure's internal network.

Core architecture conclusion: with the two combined, a global user's traffic is intercepted by Front Door at the edge, races to the cloud over Microsoft's global backbone, and then enters your headquarters server room over the ExpressRoute line. Both halves are fully "de-publicised": this is the top-tier cross-border communication closed loop that big tech shops run as standard.

Phase II: Hands-on exercise I: configuring Azure Front Door to block out global edge latency

Let's simulate the first real-world scenario: your core production API is deployed on a backend in East Asia (Hong Kong). We want overseas employees in Europe, the Americas and Southeast Asia to get the same experience calling the API as if they were sitting in the Hong Kong office.

Log in to the Azure portal, then search for and open the "Front Door and CDN profiles" page.

1. Create a global acceleration profile

Click "Create" at the top; it is recommended to select "Azure Front Door Premium" directly (the premium tier comes with the big-tech-grade WAF that is standard kit for going overseas).

Click "Quick create".

Basic configuration: select your resource group and name the profile global-core-accelerator.

2. Lock in the front-end endpoint and the back-end origin (Endpoint & Origin)

Endpoint name: this is the single domain name handed out to users worldwide, such as api-global.azurefd.net (you can seamlessly bind your company's own domain, api.yourcompany.com, to it).

Origin type: select Custom, or a VM or App Service depending on your service. Enter the real public IP or domain name of your current Hong Kong main server here.

Forwarding protocol: lock it firmly to HTTPS only, so that Front Door performs the SSL certificate handshake (SSL offloading) at the global edge PoP and lifts the heavy encryption workload off your Hong Kong server entirely.

Click Create. Microsoft's deployment engine takes about 1 to 2 minutes to synchronise this set of acceleration routes and WAF firewall policies to the edge gateways in hundreds of major cities worldwide.
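The same Phase II profile, endpoint, origin and HTTPS-only route built with the Azure CLI instead of portal clicks, plus an audit helper that checks a route really forwards HTTPS-only. This is an added example, not the article's own code; the resource group, endpoint name and origin host are assumptions.

```bash
# Added example (not from the article): the Phase II Front Door Premium setup via the Azure CLI.
# The resource group, endpoint name and the Hong Kong origin host are assumed placeholders.
set -eu
RG="${RG:-rg-global-accelerator}"                 # assumed resource group
PROFILE="global-core-accelerator"                 # profile name used in the article
ENDPOINT="api-global"                             # becomes api-global-<hash>.z01.azurefd.net
ORIGIN_HOST="${ORIGIN_HOST:-hk-api.example.com}"  # constructed placeholder for the Hong Kong origin

deploy_front_door() {
  az afd profile create -g "$RG" --profile-name "$PROFILE" --sku Premium_AzureFrontDoor
  az afd endpoint create -g "$RG" --profile-name "$PROFILE" --endpoint-name "$ENDPOINT" \
    --enabled-state Enabled
  # Origin group with an HTTPS health probe, so a dead origin is pulled out of rotation
  az afd origin-group create -g "$RG" --profile-name "$PROFILE" --origin-group-name hk-origins \
    --probe-request-type GET --probe-protocol Https --probe-path /api/v1/status \
    --probe-interval-in-seconds 60 --sample-size 4 --successful-samples-required 3 \
    --additional-latency-in-milliseconds 50
  az afd origin create -g "$RG" --profile-name "$PROFILE" --origin-group-name hk-origins \
    --origin-name hk-primary --host-name "$ORIGIN_HOST" --origin-host-header "$ORIGIN_HOST" \
    --http-port 80 --https-port 443 --priority 1 --weight 1000 --enabled-state Enabled
  # Route: accept HTTP only to redirect it, always speak HTTPS to the origin (TLS ends at the PoP)
  az afd route create -g "$RG" --profile-name "$PROFILE" --endpoint-name "$ENDPOINT" \
    --route-name api-route --origin-group hk-origins --patterns-to-match '/*' \
    --supported-protocols Http Https --forwarding-protocol HttpsOnly \
    --https-redirect Enabled --link-to-default-domain Enabled
}

# Audit helper: given the JSON printed by `az afd route show -o json`, succeed only when the
# route forwards to the origin over HTTPS only and bounces plain-HTTP clients to HTTPS.
route_is_https_only() {
  printf '%s\n' "$1" | grep -q '"forwardingProtocol": *"HttpsOnly"' || return 1
  printf '%s\n' "$1" | grep -q '"httpsRedirect": *"Enabled"'
}

audit_route() {
  route_is_https_only "$(az afd route show -g "$RG" --profile-name "$PROFILE" \
    --endpoint-name "$ENDPOINT" --route-name api-route -o json)"
}

# Nothing runs until you opt in: AFD_APPLY=1 ./front-door.sh
if [ "${AFD_APPLY:-0}" = "1" ]; then deploy_front_door && audit_route; fi
```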

Phase III: Hands-on exercise II: opening the main artery, the Azure ExpressRoute physical dedicated line

The front-end loop is closed; now we open a physical dedicated line from the Azure cloud virtual network (VNet) to the self-built server room at the Shanghai headquarters.

Step 1: Claim an exclusive ExpressRoute "pass" (the Circuit) in the cloud

Search for "ExpressRoute circuits" in the Azure console and click Create.

Provider: select the carrier that matches the physical location of your on-premises data centre (for example China Telecom, China Unicom, or Megaport and Equinix, which big tech shops commonly use).

Peering location: select the physical access point (such as Hong Kong or Shanghai) where your leased line enters the cloud.

Bandwidth: choose by budget (e.g. 100 Mbps to 10 Gbps).

SKU: select "Standard" or "Premium" (Premium supports cross-border interconnection).

Click Create. On success, Azure displays one crucial string on screen: the "Service Key".

Hard-core pitfall avoidance: copy this Service Key and send it to your telecom carrier's account manager. With the Key in hand, the carrier pulls fibre into your company from their physical facility and physically "patches" it to the Microsoft cloud switch. When the status changes to Provisioned, the physical fibre is fully connected!

Step 2: Set up a dedicated "network mail room" in the cloud (gateway connection)

The physical line is ready, but how does leased-line traffic reach the virtual machines in the cloud? We need to build a "network mail room" in the cloud.

Go to your virtual network (VNet) and click Create Virtual Network Gateway.

Gateway type: you must select "ExpressRoute" here; do not pick the ordinary VPN gateway by mistake.

After the gateway is created (usually about 20 minutes), open it, find "Connections", click Add, and bind the ExpressRoute circuit you just built as the connection.

At this point the full-link, pure-intranet closed loop, global users -> Microsoft edge PoP (Front Door) -> Microsoft cloud virtual network (VNet) -> physical dedicated line (ExpressRoute) -> enterprise self-built server room, is connected end to end!
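The Phase III procedure (circuit, Service Key hand-off, wait for Provisioned, ExpressRoute gateway, connection) as an Azure CLI script, with the private peering carrying the BGP MD5 key that Phase V warns against leaving empty. This is an added example, not the article's own code; the names, location, ASN, peer subnets, VLAN id and 200 Mbps bandwidth are assumptions.

```bash
# Added example (not from the article): the Phase III ExpressRoute steps via the Azure CLI.
# Names, location, ASN, peer subnets, VLAN id and the 200 Mbps bandwidth are assumptions.
set -eu
RG="${RG:-rg-global-accelerator}"; LOC="${LOC:-eastasia}"
CIRCUIT="er-shanghai-hq"; VNET="vnet-core"; GW="ergw-core"   # VNet assumed to exist already

# Step 1: order the circuit and print the Service Key that goes to the carrier's account manager.
create_circuit() {
  az network express-route create -g "$RG" -n "$CIRCUIT" -l "$LOC" \
    --provider "China Telecom" --peering-location "Hong Kong" --bandwidth 200 \
    --sku-tier Premium --sku-family MeteredData
  az network express-route show -g "$RG" -n "$CIRCUIT" --query serviceKey -o tsv
}
# Gate on the JSON from `az network express-route show -o json`: the carrier side must say
# Provisioned and the Azure side Enabled before peering or a gateway connection will work.
circuit_ready() {
  printf '%s\n' "$1" | grep -q '"serviceProviderProvisioningState": *"Provisioned"' || return 1
  printf '%s\n' "$1" | grep -q '"circuitProvisioningState": *"Enabled"'
}
wait_for_carrier() {
  until circuit_ready "$(az network express-route show -g "$RG" -n "$CIRCUIT" -o json)"; do
    echo "carrier has not finished patching the fibre yet; checking again in 10 minutes"; sleep 600
  done
}
# Private peering with a BGP MD5 shared key: the value Phase V says must never be left empty.
create_private_peering() {
  az network express-route peering create -g "$RG" --circuit-name "$CIRCUIT" \
    --peering-type AzurePrivatePeering --peer-asn 65010 --vlan-id 100 \
    --primary-peer-subnet 192.168.15.16/30 --secondary-peer-subnet 192.168.15.20/30 \
    --shared-key "${BGP_MD5_KEY:?export BGP_MD5_KEY from your secret store first}"
}
# Step 2: an ExpressRoute gateway (not a VPN gateway) in GatewaySubnet, then bind the circuit to it.
create_gateway_and_connect() {
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet --address-prefixes 10.10.255.0/27
  az network public-ip create -g "$RG" -n "$GW-pip" --sku Standard --allocation-method Static
  az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOC" --vnet "$VNET" \
    --public-ip-address "$GW-pip" --gateway-type ExpressRoute --sku ErGw1AZ
  az network vpn-connection create -g "$RG" -n "conn-$CIRCUIT" -l "$LOC" --vnet-gateway1 "$GW" \
    --express-route-circuit2 "$(az network express-route show -g "$RG" -n "$CIRCUIT" --query id -o tsv)"
}
# Nothing runs until you opt in: ER_APPLY=1 BGP_MD5_KEY=... ./expressroute.sh
if [ "${ER_APPLY:-0}" = "1" ]; then
  create_circuit; wait_for_carrier; create_private_peering; create_gateway_and_connect
fi
```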

Phase IV: Witness the miracle: a physical cross-border network test

With the whole line open, we don't gamble on gut feeling; we use standard network test commands to see just how fearsome this exclusive cross-border channel is.

Have a developer from an outsourced team in London or Silicon Valley run the following on their local terminal: first hitting the Hong Kong origin directly by its public IP, then going through Front Door's single global acceleration domain:

Bash

# Test 1: the long march across the public network straight to the Hong Kong origin
curl -o /dev/null -s -w '%{time_connect}\n' https://<real IP address of the Hong Kong origin>/api/v1/status

# Test 2: global access via Azure Front Door
curl -o /dev/null -s -w '%{time_connect}\n' https://api-global.azurefd.net/api/v1/status

A shocking comparison of the test data

Test 1 (public network): with countless uncontrollable BGP hops and international gateway throttling on the public network, time_connect (TCP handshake time) usually swings wildly between 280 ms and 450 ms, and the packet loss rate frequently soars above 5%.

Test 2 (Front Door channel): a user in London or Silicon Valley hits the local Microsoft PoP within a few milliseconds of leaving their network and completes the TCP handshake at the edge. time_connect drops sharply and settles between 3 ms and 8 ms.

The user taps the app and the page opens instantly, because the remaining thousands of kilometres are travelled over Microsoft's backbone at near light speed with a zero packet loss rate.
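A single handshake says little about jitter or loss, so here is the Phase IV comparison repeated and summarised (min, median, max of time_connect, plus the failure share), with DNS pinned to the origin IP via --resolve so the direct test keeps certificate validation. Added example, not the article's code; api.yourcompany.com and the origin IP 203.0.113.10 are constructed placeholders.

```bash
# Added example (not from the article): repeat the two Phase IV probes and summarise them.
# api.yourcompany.com and the origin IP 203.0.113.10 (TEST-NET-3) are constructed placeholders.
set -eu
ORIGIN_HOST="${ORIGIN_HOST:-api.yourcompany.com}"   # custom domain, normally bound to Front Door
ORIGIN_IP="${ORIGIN_IP:-203.0.113.10}"               # real public IP of the Hong Kong origin
AFD_URL="${AFD_URL:-https://api-global.azurefd.net/api/v1/status}"
RUNS="${RUNS:-20}"

# One probe: TCP connect, TLS-complete and total times in ms plus the HTTP status.
# Extra arguments are passed to curl (used below to pin DNS without disabling cert checks).
probe() {
  url=$1; shift
  curl -o /dev/null -s -m 10 "$@" \
    -w '%{time_connect} %{time_appconnect} %{time_total} %{http_code}\n' "$url" \
    | awk '{ printf "%.1f %.1f %.1f %s\n", $1*1000, $2*1000, $3*1000, $4 }'
}
# Test 1: bypass Front Door by resolving the hostname straight to the origin IP
probe_origin() { probe "https://$ORIGIN_HOST/api/v1/status" --resolve "$ORIGIN_HOST:443:$ORIGIN_IP"; }
# Test 2: through the global Front Door endpoint
probe_afd() { probe "$AFD_URL"; }

# Summarise "connect appconnect total status" lines from stdin: min/median/max connect time
# over the successful probes, and the share of failed ones (timeouts or non-200 answers).
summarize() {
  sort -n | awk '
    { if ($4 == "200") c[++n] = $1; else bad++ }
    END {
      if (n == 0) { print "no successful samples"; exit 1 }
      mid = (n % 2) ? c[(n + 1) / 2] : (c[n / 2] + c[n / 2 + 1]) / 2
      printf "n=%d ok=%d connect_ms min=%.1f median=%.1f max=%.1f failed=%.0f%%\n", NR, n, c[1], mid, c[n], 100 * (bad + 0) / NR
    }'
}

compare() {
  echo "direct to origin $ORIGIN_IP:"; i=0; while [ $i -lt "$RUNS" ]; do probe_origin; i=$((i+1)); done | summarize
  echo "via Front Door:";            i=0; while [ $i -lt "$RUNS" ]; do probe_afd;    i=$((i+1)); done | summarize
}
# Nothing runs until you opt in: RUN_PROBES=1 ./compare.sh
if [ "${RUN_PROBES:-0}" = "1" ]; then compare; fi
```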

Phase V: Pitfalls and hard lessons under a multinational network architecture

Once this seamless architecture is running, the multinational's communication experience is superb. But to survive a real business audit and an extremely complex multinational network environment, you, as chief network architect, must immediately weld in the following two bottom-line operating rules:

1. The deadly "compliance pit": the "minefield" of cross-border transmission

Many teams, elated once the network was up, immediately pushed all traffic between the domestic headquarters and the overseas branches (including traffic carrying sensitive data) through this artery in full.

The disaster: cross-border network transmission is subject to extremely strict legal and regulatory red lines (for example China's compliance audits for outbound data transfers, Europe's GDPR, and so on). If you set up an unregistered cross-border physical line, or move specific core data without an audit, you can face administrative penalties up to having the entire link cut off, or even a huge fine.

Big-tech standard pitfall avoidance: when using ExpressRoute cross-border links, make sure the complete Chinese and English corporate credentials are submitted for compliance filing to an official carrier holding a cross-border telecommunications licence (such as China Telecom or China Unicom). For cross-border business, keep sensitive "personal user privacy data" stored locally overseas (for example, keep European data in West European server rooms) by means of URL routing policies at the Front Door layer, and only release de-identified business commands and statistical report traffic back to headquarters over the dedicated line. Architectural compliance is the first high-voltage line of multinational IT.

2. Never let the ExpressRoute dedicated line "run naked" without encryption

Many newcomers reason that since ExpressRoute is a physical fibre dedicated line, hackers can never break in from the public network, so they add no encryption to data transmitted on the internal network, and even leave the routing protocol (BGP) password empty.

The hidden danger: although the leased line avoids the public network, it still passes through the third-party carrier's physical facility and shared switches (the meet-me room). If that facility suffers an insider or a hardware misconfiguration, your intranet traffic is still at risk of being monitored or hijacked.

Hard-core hardening rule: put another layer of armour on top of the dedicated line (VPN over ExpressRoute). In the high-standard security architectures of big tech shops, even with ExpressRoute in place, a strong IPsec-encrypted VPN tunnel is mandatory on top of the line's Private Peering, so that all data flying over the dedicated line is encrypted a second time under the enterprise's own control before it leaves the server room. Then even if the physical fibre is tapped and sniffed, the attacker gets nothing but meaningless random bytes.

Summary

Using Azure Front Door and ExpressRoute to build a dedicated enterprise-grade network channel for a multinational, the core industrial essence comes down to sixteen characters: edge interception, backbone sprint, physical plumbing, compliance lock-down.

You have bid farewell for good to the old passive state of living at the mercy of public-network carriers and dreading a transoceanic outage. The tedious work of global route optimisation, DDoS scrubbing and long-haul transmission is fully offloaded to the hyperscaler's top-tier infrastructure. While your global users cheer that everything "opens instantly", the digital rear of your whole multinational empire stands as steady as Mount Tai.
